ACM Certificates Pre-expiration Renewal
ID: acm-cert-renewal-45days
Severity: medium
Author: princechaddha
Tags: cloud,devops,aws,amazon,acm,aws-cloud-config
Description
Ensure AWS ACM SSL/TLS certificates are renewed at least 45 days before expiration to prevent service disruptions.
YAML Source
id: acm-cert-renewal-45days

info:
  name: ACM Certificates Pre-expiration Renewal
  author: princechaddha
  severity: medium
  description: |
    Ensure AWS ACM SSL/TLS certificates are renewed at least 45 days before expiration to prevent service disruptions.
  impact: |
    Failure to renew certificates timely may lead to expired certificates causing service access issues or downtimes.
  remediation: |
    Set up Amazon CloudWatch to monitor ACM certificate expiration and automate renewal notifications or processes.
  reference:
    - https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html
  metadata:
    max-request: 2
  tags: cloud,devops,aws,amazon,acm,aws-cloud-config

variables:
  region: "us-east-1"

flow: |
  code(1)
  for(let arns of iterate(template.certificatearns)){
    set("certificatearn", arns)
    code(2)
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      aws acm list-certificates --region $region --certificate-statuses ISSUED --query 'CertificateSummaryList[*].CertificateArn' --output json

    extractors:
      - type: json
        name: certificatearns
        internal: true
        # --query above already projects the response to a bare JSON array of ARN strings,
        # so iterate the top-level array; there is no CertificateSummaryList key left to index
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      # fromdateiso8601 already yields epoch seconds (no mktime needed) and only accepts a trailing "Z",
      # while AWS CLI v2 prints NotAfter with a "+00:00" offset, so the offset is normalised first
      aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.[NotAfter, CertificateArn]' --output json | jq -r 'select(((.[0] | sub("\\+00:00$"; "Z") | fromdateiso8601) - now) < (45 * 86400)) | .[1]'

    extractors:
      - type: regex # type of the extractor
        name: certificate
        internal: true
        regex:
          - '^arn.*'

      - type: dsl
        dsl:
          - '"The AWS ACM Certificate " + certificate + " is due to expire within 45 days"'
# digest: 4b0a00483046022100afa1e5b4ba6aeef0412564db36b6a727b3b10a17c6e90c745eaa7bf211398e18022100c5777c658dfc8695d06f6583b161f77b996454b09af2203bb799d85034fe6e12:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template is a Nuclei cloud-configuration check rather than a web-application scan. It is self-contained and shells out to the AWS CLI, which must be installed, authenticated against the account under review and allowed to call acm:ListCertificates and acm:DescribeCertificate, with jq on the PATH; it then reports every ISSUED certificate whose NotAfter is less than 45 days away. Because it uses the code protocol, the "# digest" line is the template's signature: Nuclei only executes signed code templates, so a modified copy has to be re-signed (nuclei -sign) before it will run.
$ nuclei -u "URL" -t "cloud/aws/acm/acm-cert-renewal-45days.yaml"
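To make the expiry-window logic of the template's second step easy to reason about and test without AWS credentials, here is an added Python illustration (not part of the template or the nuclei-templates project). It consumes the same two-element JSON that describe-certificate returns under the template's --query, normalises both NotAfter spellings the AWS CLI can emit, and applies the 45-day threshold; the account id, ARNs, dates and NOW are constructed placeholders.

```python
"""Offline mirror of the template's 45-day expiry-window check (constructed data)."""
import json
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 45  # same threshold as the template's 45 * 86400 seconds


def parse_not_after(value: str) -> datetime:
    """Parse NotAfter as the AWS CLI prints it and return an aware UTC datetime.

    AWS CLI v2 emits a numeric offset ("...+00:00"); other configurations may
    emit a trailing "Z", so both spellings are accepted.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # defensive: treat a naive timestamp as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def expiring_arns(describe_outputs, now, window_days=WINDOW_DAYS):
    """Return (arn, days_left) for every certificate inside the renewal window.

    describe_outputs holds one JSON string per describe-certificate call with
    --query 'Certificate.[NotAfter, CertificateArn]' (the template's step 2).
    Already-expired certificates are kept with a negative days_left rather
    than silently dropped.
    """
    flagged = []
    for raw in describe_outputs:
        not_after, arn = json.loads(raw)
        remaining = parse_not_after(not_after) - now
        if remaining < timedelta(days=window_days):
            flagged.append((arn, remaining.days))
    return flagged


# Constructed sample output; the account id, ARNs and dates are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    '["2024-07-10T23:59:59+00:00", "arn:aws:acm:us-east-1:111111111111:certificate/aaaa"]',
    '["2024-12-31T23:59:59+00:00", "arn:aws:acm:us-east-1:111111111111:certificate/bbbb"]',
    '["2024-05-20T23:59:59Z", "arn:aws:acm:us-east-1:111111111111:certificate/cccc"]',
]

if __name__ == "__main__":
    for arn, days in expiring_arns(SAMPLE, NOW):
        print(f"{arn}: {days} days until NotAfter")
```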